Hashing

Hashing is a method for reducing large inputs to a smaller fixed size output. When doing forensics, typically cryptographic hashing algorithms like MD5 and SHA-1 are used. These functions have a few properties useful to forensics. Other types of hashing, such as Context Triggered Piecewise Hashing can also be used.

Online NSRL Lookup

(Infrequently available, and likely only when the site owner (Jason Spashett) needs to use it himself.)

MD5 Reverse Hash Services

There are several online services that allow you to enter a hash code and find out what the preimage might have been. One way to find these services is to google for 'd41d8cd98f00b204e9800998ecf8427e' (the MD5 of the null string).

Online Malware Hash Lookups

VirusTotal.com Online hash lookup no api/automation yet like Team Cymru but does frequently have hashes for current new malware

Segmented Hashing

Segmented hashing produces not a single hash value for the entire image, but a list of hashes of corresponding LBA ranges of the image. By validating all hashes in a set it is still verify image integrity. Segmented Hashes are saved in a CSV file with the following format: hash, start LBA, end LBA

When Segmented hashing is useful

Segmented hashes support multi-pass imaging and handling of bad sectors: Hashes are calculated only for the imaged regions, while all bad sectors are excluded from calculation. This allows to validate a hash even when the source drive is damaged.

Better resiliency against data corruption: If an acquired image gets damaged later, regular hash is invalid upon verification making the entire image useless. With segmented hashing, only a single hash value becomes invalid, while the rest of the image can still be validated.

Seghash on GitHub is a free open-source tool for both calculating and validating segmented hashes.